10. Planning a Proper Sites and Services Architecture
As stated earlier, as with its predecessors, Exchange Server 2007 and Exchange Server 2010, Exchange Server 2013 has the ability to natively utilize Active Directory Sites and Services for routing mail, rather than having to implement and maintain an independent routing topology using connectors.
Administrators should be aware of the best practices for designing a proper Sites and Services architecture to support Exchange Server 2013. From a high-level perspective, within AD it is necessary for administrators to create sites, allocate subnets to sites, and then create site links between sites for communication to occur.
Active Directory Sites
The basic unit of AD replication is known as the site. Not to be confused with physical sites or Exchange Server sites, the AD site is simply a group of domain controllers connected by high-speed network connections. Each site is established to more effectively replicate directory information across the network. In a nutshell, domain controllers within a single site will, by default, replicate more often than those that exist in other sites. The concept of the site constitutes the centerpiece of replication design in AD.
Associating Subnets with Sites
In most cases, a separate instance of a site in AD physically resides on a separate subnet from other sites. This idea stems from the concept that the site topology most often mimics, or should mimic, the physical network infrastructure of an environment.
In AD, sites are associated with their respective subnets to allow for the intelligent assignment of users to their respective domain controllers. For example, consider the design shown in Figure 2.
Figure 2. Sample Exchange Server and Client site assignment.
In this example, Server-EX01 is a physical member of the 192.168.115.0/24 subnet. Server-EX02 and Client01 are both members of the 192.168.116.0/24 subnet. Based on the subnets, Server-EX01 will automatically be assigned to the domain controller Server01 in SITE01, and Server-EX02 and Client01 will be assigned to the domain controller in SITE02.
Using Site Links
By default, the creation of two sites in AD does not automatically create a connection linking the two sites. This type of functionality must be manually implemented by the creation of a site link.
A site link is essentially a connection that joins together two sites and allows for replication traffic to flow from one site to another. Multiple site links can be set up and should normally follow the wide area network (WAN) lines of your organization. Multiple site links also assure redundancy so that if one link goes down, replication traffic has an alternate path.
Site link replication schedules can be modified to fit the requirements of your organization. If, for example, the WAN link is saturated during the day, a schedule can be established to replicate information at night. This functionality allows you to easily adjust site links to the needs of any WAN design.
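The three steps above (create sites, assign subnets, link the sites) plus a night-time replication schedule, carried out for the Figure 2 topology with the ActiveDirectory PowerShell module. This is an added example, not code from the book; SITE01, SITE02 and the two /24 subnets come from the text, while the link name, cost, replication interval and the 00:00-05:45 schedule window are assumed values.

```powershell
# Added example (not from the book): builds the Figure 2 site topology.
# Run as an account allowed to modify the Configuration partition.
Import-Module ActiveDirectory

# 1. Sites: the basic unit of AD replication.
foreach ($site in 'SITE01', 'SITE02') {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Subnets: the subnet-to-site mapping is what places a DC, an Exchange
#    server or a client into a site based on its IP address and mask.
$subnets = @{
    '192.168.115.0/24' = 'SITE01'   # Server-EX01 (from Figure 2)
    '192.168.116.0/24' = 'SITE02'   # Server-EX02 and Client01 (from Figure 2)
}
foreach ($cidr in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
    }
}

# 3. Site link: two sites do not replicate with each other until one exists.
#    Link name, cost and interval are assumed; lower cost = preferred path.
$linkName = 'SITE01-SITE02'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded 'SITE01', 'SITE02' `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# 4. Replication schedule: only allow inter-site replication overnight
#    (00:00-05:45, an assumed window) so a WAN link that is saturated
#    during the day is not loaded further.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule('Zero', 'Zero', 'Five', 'FortyFive')
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# 5. Verify: which site this machine resolves to, and the subnet-to-site map.
nltest /dsgetsite
Get-ADReplicationSubnet -Filter * | Format-Table Name, Site -AutoSize
```

`nltest /dsgetsite` is the quickest way to confirm that a server picked up the site you expected from its subnet; if it reports the wrong site, the subnet object (step 2) is usually what is missing or mis-sized.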
Exchange Server 2013 and Site Membership
After the AD site topology has been created, including adding the appropriate subnets to sites and creating site links between sites, an administrator can now take Exchange Server placement into consideration.
Similar to AD domain controllers, Exchange Server 2013 servers will be associated with sites in AD based on their IP address and subnet mask. As stated earlier, there should be at least one domain controller/global catalog server residing in each site in which an Exchange Server 2013 server resides.
Note
If an AD infrastructure already exists prior to the design of the Exchange Server 2013 environment, there might be a need to make changes to the AD routing topology to support the Exchange routing requirements.
Establishing a Proper Global Catalog Placement Strategy
Another area of importance is the design and placement of global catalog servers within the environment. The importance of the global catalog server cannot be overstated. The global catalog is used for the address list that users see when they are addressing a message and by Exchange servers every time a message is delivered. If a global catalog server is not available, the recipient’s address will not resolve when users address a message, and the message cannot be delivered.
There should be at least one global catalog server in every AD site that contains an Exchange Server 2013 server. The recommendation from Microsoft is as follows:
If Active Directory is running on a 32-bit system, the recommendation is 4:1—for every four processor cores in your Mailbox servers, you should have one processor core in a global catalog server. For example, if you have two Mailbox servers, each with dual quad-core processors, that is 16 processor cores. You should have at least 4 processor cores worth of global catalog computing, so 1 quad core server, or 2 dual-core servers should do the trick.
If Active Directory is running on a 64-bit system, the recommended ratio is 1:8. However, you must have enough memory installed on the server to cache the entire Active Directory database in memory. To confirm the size of your Active Directory database, look at the size of the %WINDIR%\NTDS\NTDS.DIT file.
For optimization, plan on having a global catalog server close to the clients to provide efficient address list access. Making all domain controller servers global catalog servers is recommended for an organization that has a single AD domain model and a single site. Otherwise, for multidomain models, all domain controllers can be configured as global catalog servers except for the domain controller hosting the Infrastructure Master FSMO role.
Note
It is a best practice to have a minimum of at least two global catalog servers within an AD infrastructure.
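A check for the two placement rules stated above: every AD site that contains an Exchange Server 2013 server must contain at least one global catalog server, and the forest should have at least two global catalog servers overall. This is an added example, not the book's code; it assumes it is run from the Exchange Management Shell on a machine that also has the ActiveDirectory module, and it reads the Infrastructure Master holder only to report it.

```powershell
# Added example (not from the book): verifies global catalog placement
# against the sites in which Exchange Server 2013 servers live.
Import-Module ActiveDirectory

# Exchange servers are placed in a site by IP/subnet, just like DCs.
# Edge Transport servers sit outside the domain, so they are skipped.
$exchangeSites = Get-ExchangeServer |
    Where-Object { $_.ServerRole -notmatch 'Edge' } |
    ForEach-Object { $_.Site.Name } |
    Sort-Object -Unique

# All domain controllers, grouped by site name, with their GC flag.
$dcsBySite = Get-ADDomainController -Filter * |
    Group-Object -Property Site -AsHashTable -AsString

$report = foreach ($site in $exchangeSites) {
    $dcs = @($dcsBySite[$site])
    $gcs = @($dcs | Where-Object IsGlobalCatalog)
    [pscustomobject]@{
        Site              = $site
        DomainControllers = $dcs.Count
        GlobalCatalogs    = $gcs.Count
        Status            = if ($gcs.Count -eq 0) { 'MISSING GC' } else { 'OK' }
    }
}
$report | Format-Table -AutoSize

# Organization-wide minimum: at least two GCs, so the loss of one does not
# stop address resolution and message delivery.
$totalGCs = @(Get-ADDomainController -Filter * | Where-Object IsGlobalCatalog).Count
if ($totalGCs -lt 2) {
    Write-Warning "Only $totalGCs global catalog server(s) found; at least two are recommended."
}

# Multidomain models: the DC holding the Infrastructure Master role is the
# one the text excludes from being a GC. Report it so the exception is visible.
$im     = (Get-ADDomain).InfrastructureMaster
$imIsGC = (Get-ADDomainController -Identity $im).IsGlobalCatalog
Write-Output "Infrastructure Master: $im (global catalog: $imIsGC)"
```

A site row marked `MISSING GC` means Exchange servers in that site depend on a WAN link for every address lookup and every delivery, which is exactly the failure mode the text warns about.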
11. Understanding Role Based Access Control
Exchange Server 2013 uses the Role Based Access Control (RBAC) permissions model on the Mailbox and Client Access server roles. As with Exchange Server 2010, Exchange Server 2013 provides predefined roles, role groups, and role assignment policies to facilitate the assignment of permissions to administrators and users.
Using RBAC allows you to easily control what your administrators and users can (and cannot) access. Rather than applying permissions directly to user accounts, the permissions are applied directly to the role. To facilitate assigning multiple roles to administrators, Exchange Server 2013 includes role groups. Role groups can contain Active Directory users, universal security groups, and other role groups. Roles assigned to a role group grant permissions to all members of the role group.
In addition, role assignments can be “scoped” to include only specific resources within the organization. The role (and the permissions associated with it) allows certain tasks to be accomplished, while the role scope determines what resources can be administered.
The RBAC model role groups consist of the following:
• Management role—A container for grouping management role entries.
• Management role entries—A cmdlet (including parameters) that is added to a management role. This process grants rights to manage or view the objects associated with that cmdlet.
• Management role assignment—The assignment of a management role to a particular user or a universal security group. This grants the user (or the members of the security group) the ability to perform the management role entries in the management role that they are assigned to.
• Management role scope—Scopes are used to target the specific object or objects that the management role assignment is allowed to control. A management role scope can include servers, organizational units, filters on server or recipient objects, and more.
As described by Microsoft, this process allows complete control of the who (management role assignment), the what (management role and management role entries), and the where (management role scope) in the security model.
Role Based Access Control is not used on Edge Transport servers, as these servers are designed to sit outside the domain.
Exchange Server 2013 provides several built-in management role groups that cannot be modified, nor can the management role entries be configured on them. However, the scope of the built-in management roles can be modified.
The following built-in management role groups are included by default in Exchange Server 2013:
• Organization Management—Administrators assigned to this role group have administrative access to the entire Exchange Server 2013 organization, and can perform almost any task against any Exchange Server 2013 object, with some exceptions, such as the Discovery Management role. Even if a task can only be completed by another role, members of the Organization Management role group have the ability to add themselves to any other role.
As this role group is very powerful, it is recommended that it only be assigned to users who are responsible for organizational-level administration. Changes made by this role can potentially impact the entire Exchange organization.
• View-Only Organization Management—Members of this role group can view the properties of any object in the Exchange organization but cannot modify the properties of any object.
This role group is useful for personnel who need to be able to view the configuration of objects within the environment but who do not need the ability to add new or modify existing objects.
• Recipient Management—Administrators assigned to this role group have the ability to create or modify Exchange Server 2013 recipients within the organization.
• UM Management—Administrators assigned to this role group can manage features in the Exchange Server 2013 organization such as Unified Messaging (UM) server configuration, UM properties on mailboxes, UM prompts, and UM auto attendant configuration.
• Help Desk—Members of this role group can view and modify the Microsoft Office Outlook Web App options of any user in the organization, such as the user’s display name, address, and phone number. However, it does not include options that aren’t available in Outlook Web App options, such as modifying the size of mailboxes or configuring the mailbox database.
• Hygiene Management—Members of this role group can configure the antivirus and antispam features of Exchange Server 2013.
• Records Management—Administrators assigned to this role group have the ability to configure compliance features, including transport rules, message classifications, retention policy tags, and others.
This role group is often assigned to administrators or members of an organization’s Legal Department who need the ability to view and modify compliance features in an organization.
• Discovery Management—Administrators assigned to this role group have the ability to perform searches of mailboxes in the Exchange organization for data that meets specific criteria and can also configure legal holds on mailboxes.
• Public Folder Management—Members of this role group can manage Exchange Server 2013 public folders.
• Server Management—Administrators assigned to this role group can configure Unified Messaging, client access, server-specific configuration of transport, and mailbox features, such as database copies, certificates, transport queues and Send connectors, virtual directories, and client access protocols.
• Delegated Setup—Members of this role group have the ability to deploy servers running Exchange Server 2013 that have been provisioned by a member of the Organization Management role group.
• Compliance Management—Administrators assigned to this role group have the ability to configure and manage Exchange compliance settings in accordance with their organization’s policy.
If the Exchange Server 2013 built-in role groups don’t match the job functions of the organization’s administrators, role groups can be created and customized.
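The who/what/where model from the earlier list, applied to the custom role group case described above: audit the members of the powerful Organization Management group, inspect the cmdlets a built-in role grants, and then create a role group whose recipient write scope is limited to one OU. This is an added example written for the Exchange Management Shell, not code from the book; the scope name, OU path, role group name, domain and member address are assumed values, while the role names (Mail Recipients, Distribution Groups) are built-in Exchange roles.

```powershell
# Added example (not from the book): scoped custom role group in Exchange 2013 RBAC.
# Run in the Exchange Management Shell as a member of Organization Management.

# WHO currently holds organization-wide rights. Review this before delegating.
Get-RoleGroupMember -Identity 'Organization Management' |
    Format-Table Name, RecipientType -AutoSize

# WHAT a built-in management role actually contains: its role entries (cmdlets).
Get-ManagementRoleEntry -Identity 'Mail Recipients\*' |
    Select-Object -First 10 Name

# WHERE: a management scope restricting recipient writes to one OU and to
# user mailboxes only. Scope name, OU path and domain are assumed.
$scopeName = 'Sales Recipients Scope'
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName `
        -RecipientRoot 'contoso.com/Sales' `
        -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'"
}

# Tie who, what and where together: a role group that carries only two
# recipient roles and can write only inside the scope above. The group
# name and the member are assumed values.
$groupName = 'Sales Help Desk'
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName `
        -Roles 'Mail Recipients', 'Distribution Groups' `
        -CustomRecipientWriteScope $scopeName `
        -Members 'sales-helpdesk@contoso.com'
}

# Verify the resulting role assignments and their effective write scopes.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

Because members of Organization Management can add themselves to any other role group, the first query is the one worth repeating on a schedule; a new name appearing there is a change to the whole organization's permission model, not to one role group.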
Note
Membership in the Organization Management role group should be limited to personnel who have advanced knowledge of the Exchange Server operating system and your particular network environment.
Exchange Server 2013 also provides role assignment policies to control the settings that users can configure on their personal mailboxes and distribution groups. The policies can control the users’ ability to change their display name, contact information, membership in distribution groups, or voice mail settings. Mailboxes are assigned a default role assignment policy if an alternative role assignment policy is not specified.
The Exchange Administration Center (EAC) can be used to manage role groups and role assignment policies.
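The end-user side of the model described in the preceding paragraph, done from the Exchange Management Shell instead of the EAC: inspect the roles the default role assignment policy grants, create a more restrictive policy, and assign it to one mailbox. This is an added example, not the book's code; the policy name and the mailbox identity are assumed, while MyBaseOptions, MyContactInformation and MyVoiceMail are built-in end-user roles.

```powershell
# Added example (not from the book): end-user role assignment policies.
# Run in the Exchange Management Shell.

# What can users change today? List the roles behind the default policy.
Get-ManagementRoleAssignment -RoleAssignee 'Default Role Assignment Policy' |
    Format-Table Role -AutoSize

# A policy that lets users edit contact information, basic options and voice
# mail settings, but deliberately omits the roles that allow changing the
# display name or distribution group membership. Policy name is assumed.
$policyName = 'Restricted Users'
if (-not (Get-RoleAssignmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RoleAssignmentPolicy -Name $policyName `
        -Roles 'MyBaseOptions', 'MyContactInformation', 'MyVoiceMail'
}

# Assign it to one mailbox (assumed identity). Mailboxes without an explicit
# policy keep the default role assignment policy.
Set-Mailbox -Identity 'jsmith' -RoleAssignmentPolicy $policyName

# Confirm which policy now applies to that mailbox.
Get-Mailbox -Identity 'jsmith' | Format-List Name, RoleAssignmentPolicy

# Optional: make the restrictive policy the default for newly created mailboxes.
# Set-RoleAssignmentPolicy -Identity $policyName -IsDefault
```

Changing the default policy affects only mailboxes created afterwards; existing mailboxes keep whatever policy they already have, so a tightening has to be applied to them explicitly with Set-Mailbox.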